SOLVED

Apply sensitivity labels using PowerShell

Brass Contributor

Is it possible to apply sensitivity labels to documents in SharePoint (not sites or groups) using PowerShell?

23 Replies
this is just for operations in the admin center, I need to be able to add the labels to the documents programmatically
You can now use Security & Compliance Center PowerShell to create and configure all the settings you see in your labeling admin center. This means that in addition to using PowerShell for settings that aren't available in the labeling admin centers, you can now fully script the creation and maintenance of sensitivity labels and sensitivity label policies.
still doesn't answer my question. I'm not looking to script the creation and maintenance of the labels, that's already been done. I'm looking to script the application of the labels to documents in SharePoint. Instead of the user having to label thousands of documents manually, is there a way to script it?
You're not very clear when asking a question...

Try using the New-AutoSensitivityLabelPolicy then.
best response confirmed by JSlei (Brass Contributor)
Solution
There is no cmdlet to apply labels to individual files, afaik. Set-AIPFileLabel only works on local files. Using the MIP SDK is probably the way to go, at least until Microsoft introduces a cmdlet/Graph API endpoints.
Funnily enough we do have a cmdlet to remove labels: https://office365itpros.com/2021/03/25/decrypt-sharepoint-online-documents-graph/
Perhaps this will solve your use case, as I don’t understand the current situation tbh.

With this update, all newly uploaded documents to a document library can “inherit” the configured label for the document library (if not already labeled).

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=85621
Vasil, that’s why there’s auto-labeling. The solution is intended to allow tenants to protect existing content at scale without needing anyone to review large quantities of documents.
thanks, this answered my question.

@JSlei Hello again, didn't you look for an option to protect at scale without anyone have to review the documents? Are you saying this isn't applicable even if using PowerShell cmdlets for it?

https://office365itpros.com/2020/01/27/microsoft-previews-auto-label-policies-sensitivity-labels/

 

"Manual application of sensitivity labels is a good way to protect new messages and documents but does nothing to deal with the mass of documents and messages that already exist inside Office 365. To address the issue, Microsoft is running a preview program for auto-labeling Word, Excel, and PowerPoint files stored in SharePoint Online sites and OneDrive for Business accounts (Exchange Online will come later). The solution is intended to allow Office 365 tenants to protect existing content at scale without needing anyone to review large quantities of documents."

@JSlei @Vasil Michev I reached out to a connection with over a decade as "AIP" MVP and got the response.

 

"It is definitely possible to solve with a script, however, with the MIP SDK. But why bother, MCAS can put a label on all documents in an SP site. Then Microsoft is rebuilding SharePoint online right now to force all files that do not have a manually set label in an SP site based on its container label."

 

The latter being the roadmap item I linked to above scheduled for release in December.

@JSlei About MCAS and Auto-labeling Microsoft Cloud App Security and Sensitivity Labels – Joanne C Klein

 

(a bit old but still relevant)

thank you for following up on this. I am aware of the auto-labeling policies but they can only label files based on content of the file. I was looking for a solution that allows me to label the files based on different requirements and I believe building a solution that calls the MIP SDK is the way to go.

@JSlei @Vasil Michev @ChristianJBergstrom 

 

Hi All,

Just bringing a slightly similar scenario to this thread - and wondering if anyone can confirm if it's possible? We have a Client with millions of Docs in Sharepoint 2013 OnPrem today where they have been very rigorous in using TermSet from the TermStore to tag all sensitive docs/files with the appropriate MetaData and this has been in use for some 6 - 7 years.

 

We are now assisting with the Sharepoint Migration and the question becomes - what is the *best* (least painful/best chance of success) method of ensuring that all the contents get from - Sharepoint 2013 onPrem to Sharepoint Online:

  • It appears that SIT's and AutoLabelling cannot identify TermSet?
  • This being the case - should we be looking at applying SL's before the move?
    • This seems the lower risk?
  • Should we focus on MIP SDK or simply script this via PowerShell to Identify each file and add the appropriate SL?

Create and manage terms in a term set - SharePoint in Microsoft 365 | Microsoft Docs

One of the key things we are trying to achieve is do this "at scale" without having to open each file individually - if AutoLabelling is the way to go then fine, but from what we have reviewed so far this is NOT a case where we need to identify docs based on SIT's - the intent is to simply identify docs/files based on TermSet attributes and then apply the matching SL

 

Any advice or suggestions welcome, we're still researching, but thought it might be worth checking if anyone else has come across this?

 

@David Caddick 

 

The challenges with a manual approach are user error and scalability. Not to mention that once you have completed the project it will only be for a moment in time and if an employee creates a sensitive file 15 minutes after you've finished then it will be missed.

 

The best way to do this may be this third-party tool (Data Validation & Classification Tools | AvePoint) which will automate this process with AI rules. Disclaimer- I am currently employed by AvePoint. 

 

Hope this helps.

We have applied labels in sharepoint using MIP SDK and it has worked very well for us. While auto-classification is good, there are situations where organizations are not able to create classification rules and maintain them. We call this approach Project Based Label approach or Location based label approach. User requests a SharePoint SIte or teams and at that time we programatically create the labels and assign those labels to the site with appropriate permissions. When a document is uploaded to the site, we protect it using the label. This is an extensive topic and it took us a year to build out the complete capability but it works extremely well.
Hi Niraj!
Could you elaborate on your approach? I'm looking to do the same thing. We automate the creation of our client sites. It would make sense to classify these sites and all the documents within them with a default sensitivity label when they're created.

How would someone using PowerShell change a label on a document?  For example, a document was classified as Confidential.  A request has come in to have the document reclassified as Internal.   Is there a way for the Security Admin to change the classification of the document assuming we do not allow our base to change the classification themselves?

 

 

Hello, understand this a month later but just wanted to add that you can use sensitivity labels for containers (groups, sites, teams) with the disclaimer that they are only for controlling access and sharing really, not the files in the library. Until this is being released https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=85621 (they will inherit the library label if not protected) you'd have to either use Microsoft Defender for Cloud Apps to protect the files in that library or implement "Service-side" labeling, a.k.a auto-labeling for labeling at rest at scale, this is when content is already in OneDrive and SharePoint.

You have some other use cases in this thread mentioning the MIP SDK, but I have no experience working with that.
1 best response

Accepted Solutions
best response confirmed by JSlei (Brass Contributor)
Solution
There is no cmdlet to apply labels to individual files, afaik. Set-AIPFileLabel only works on local files. Using the MIP SDK is probably the way to go, at least until Microsoft introduces a cmdlet/Graph API endpoints.
Funnily enough we do have a cmdlet to remove labels: https://office365itpros.com/2021/03/25/decrypt-sharepoint-online-documents-graph/

View solution in original post